@opensaas/stack-core 0.23.0 → 0.25.0

package/dist/context/nested-operations.js

@@ -1,5 +1,6 @@
 import { checkAccess, filterWritableFields, getRelatedListConfig } from '../access/index.js';
-import { executeResolveInput, executeValidate, executeFieldResolveInputHooks, validateFieldRules, ValidationError, } from '../hooks/index.js';
+import { checkFieldAccess } from '../access/field-access.js';
+import { executeResolveInput, executeValidate, executeFieldResolveInputHooks, executeBeforeOperation, executeAfterOperation, executeFieldBeforeOperationHooks, executeFieldAfterOperationHooks, executeFieldValidateHooks, validateFieldRules, ValidationError, } from '../hooks/index.js';
 import { getDbKey } from '../lib/case-utils.js';
 /**
  * Check if a field config is a relationship field
@@ -8,14 +9,115 @@ function isRelationshipField(fieldConfig) {
     return fieldConfig?.type === 'relationship';
 }
 /**
- * Process nested create operations
- * Applies hooks and access control to each item being created
+ * Resolve the related list name for a related list config (config object identity).
  */
-async function processNestedCreate(items, 
+function findListName(
 // eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
-relatedListConfig, context, config) {
+relatedListConfig, config) {
+    for (const [listKey, listCfg] of Object.entries(config.lists)) {
+        if (listCfg === relatedListConfig) {
+            return listKey;
+        }
+    }
+    return '';
+}
+/**
+ * Read the rows of a parent's included relation as an array.
+ *
+ * A to-one relation comes back as a single row (or `null`); a to-many relation
+ * comes back as an array. This normalises both to an array so callers can apply
+ * a uniform id-diff.
+ */
+function includedRows(parentResult, fieldName) {
+    const included = parentResult[fieldName];
+    if (included == null)
+        return [];
+    if (Array.isArray(included))
+        return included;
+    return [included];
+}
+/**
+ * Recover an UPDATED nested row from the parent result by its known id.
+ *
+ * The updated row's id is known up front (it was fetched for access as
+ * `originalItem`), so the persisted row is the included row with that id.
+ */
+function recoverUpdatedRow(parentResult, fieldName, knownId) {
+    if (knownId === undefined)
+        return undefined;
+    return includedRows(parentResult, fieldName).find((r) => r.id === knownId);
+}
+/**
+ * Recover the CREATED nested rows from the parent result by id-diff.
+ *
+ * Created rows have no known id before the write, so they are identified as the
+ * included rows whose ids are NOT in `preExistingIds` (the set of related-row
+ * ids captured before the persist). Returned in include order, which the create
+ * handler pairs to its create-payload entries by position (see
+ * {@link CreatedRowRecovery}).
+ */
+function recoverCreatedRows(parentResult, fieldName, preExistingIds) {
+    return includedRows(parentResult, fieldName).filter((r) => typeof r.id === 'string' && !preExistingIds.has(r.id));
+}
+function createCreatedRowRecovery(fieldName, preExistingIds) {
+    let cache;
+    return {
+        rowAt(parentResult, index) {
+            if (!cache || cache.source !== parentResult) {
+                cache = {
+                    source: parentResult,
+                    rows: recoverCreatedRows(parentResult, fieldName, preExistingIds),
+                };
+            }
+            return cache.rows[index];
+        },
+    };
+}
+/**
+ * Capture the ids of the rows currently linked to the parent via `fieldName`,
+ * BEFORE the parent persists. Used to identify which included rows are NEW
+ * (created by this write) afterwards.
+ *
+ * - For a parent CREATE there are no pre-existing related rows (the parent does
+ *   not exist yet), so the set is empty.
+ * - For a parent UPDATE we read the parent row's current relation and collect
+ *   its ids. The same `tx` client is used so the read participates in the
+ *   transaction and sees a consistent snapshot.
+ */
+async function capturePreExistingIds(parentListName, parentOriginalItem, fieldName, prisma) {
+    const ids = new Set();
+    const parentId = parentOriginalItem?.id;
+    if (typeof parentId !== 'string') {
+        // Parent create (no existing row) — nothing pre-exists.
+        return ids;
+    }
+    // Access Prisma model dynamically - required because model names are generated at runtime
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const parentModel = prisma[getDbKey(parentListName)];
+    if (!parentModel?.findUnique)
+        return ids;
+    const current = await parentModel.findUnique({
+        where: { id: parentId },
+        include: { [fieldName]: true },
+    });
+    for (const row of includedRows((current ?? {}), fieldName)) {
+        if (typeof row.id === 'string')
+            ids.add(row.id);
+    }
+    return ids;
+}
+/**
+ * Process nested create operations.
+ *
+ * Runs the target list's full input pipeline (resolveInput → validate →
+ * field-rules → filter-writable → recurse) AND its `beforeOperation`, then
+ * registers an `afterOperation` task keyed to the parent's included relation.
+ */
+async function processNestedCreate(items, fieldName, relatedListName, 
+// eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+relatedListConfig, context, config, prisma, afterTasks, recovery) {
     const itemsArray = Array.isArray(items) ? items : [items];
-    const processedItems = await Promise.all(itemsArray.map(async (item) => {
+    const processedItems = await Promise.all(itemsArray.map(async (item, index) => {
         // 1. Check create access (skip if sudo mode)
         if (!context._isSudo) {
             const createAccess = relatedListConfig.access?.operation?.create;
@@ -27,15 +129,7 @@ relatedListConfig, context, config) {
                 throw new Error('Access denied: Cannot create related item');
             }
         }
-        // 2. Get the list name for this related config
-        let relatedListName = '';
-        for (const [listKey, listCfg] of Object.entries(config.lists)) {
-            if (listCfg === relatedListConfig) {
-                relatedListName = listKey;
-                break;
-            }
-        }
-        // 3. Execute list-level resolveInput hook
+        // 2. Execute list-level resolveInput hook
         let resolvedData = await executeResolveInput(relatedListConfig.hooks, {
             listKey: relatedListName,
             operation: 'create',
@@ -44,9 +138,9 @@ relatedListConfig, context, config) {
             item: undefined,
             context,
         });
-        // 4. Execute field-level resolveInput hooks
+        // 3. Execute field-level resolveInput hooks
         resolvedData = await executeFieldResolveInputHooks(item, resolvedData, relatedListConfig.fields, 'create', context, relatedListName);
-        // 5. Execute validate hook
+        // 4. Execute validate hook
         await executeValidate(relatedListConfig.hooks, {
             listKey: relatedListName,
             operation: 'create',
@@ -55,96 +149,203 @@ relatedListConfig, context, config) {
             item: undefined,
             context,
         });
-        // 4. Field validation
+        // 4.5 Field-level validate hooks
+        await executeFieldValidateHooks(item, resolvedData, relatedListConfig.fields, 'create', context, relatedListName);
+        // 5. Field validation (built-in rules)
         const validation = validateFieldRules(resolvedData, relatedListConfig.fields, 'create');
         if (validation.errors.length > 0) {
             throw new ValidationError(validation.errors, validation.fieldErrors);
         }
-        // 5. Filter writable fields
+        // 6. Filter writable fields
         const filtered = await filterWritableFields(resolvedData, relatedListConfig.fields, 'create', {
             session: context.session,
             context,
             inputData: item,
         });
-        // 6. Recursively process nested operations in this item
-        return await processNestedOperations(filtered, relatedListConfig.fields, config, context, 'create');
+        // 7. Recursively process nested operations in this item. This nested row
+        // is itself being CREATED, so its own relations have no pre-existing rows
+        // (parent originalItem is undefined → empty pre-existing set).
+        const { data: nestedData, afterTasks: childAfterTasks } = await processNestedOperations(filtered, relatedListConfig.fields, config, { ...context, prisma }, 'create', relatedListName, undefined, 
+        // This nested row is being CREATED, so its enclosing inputData is its own
+        // create payload (passed to the connect-site owning-field gate, #588).
+        item);
+        // 8. Field-level beforeOperation (side effects) for this nested create
+        await executeFieldBeforeOperationHooks(item, resolvedData, relatedListConfig.fields, 'create', context, relatedListName);
+        // 9. List-level beforeOperation for this nested create
+        await executeBeforeOperation(relatedListConfig.hooks, {
+            listKey: relatedListName,
+            operation: 'create',
+            inputData: item,
+            resolvedData,
+            context,
+        });
+        // 10. Register afterOperation: fires once the parent (and thus this nested
+        // row) has persisted. The created row is recovered by id-diff and paired
+        // to THIS create-payload entry by position (see CreatedRowRecovery), so a
+        // to-many `create: [{A},{B}]` fires once per row, each against its OWN
+        // distinct row, and never against a pre-existing sibling.
+        afterTasks.push({
+            fieldName,
+            run: async (parentResult) => {
+                const createdItem = recovery.rowAt(parentResult, index);
+                if (!createdItem) {
+                    // The created row could not be identified by id-diff — the parent
+                    // write did not return this nested relation (e.g. the underlying
+                    // client does not echo `include`d relations). We must NOT hand an
+                    // id-less `{}` to a hook as if it were the persisted row (finding 4:
+                    // that would fire `afterOperation` against a fabricated item). The
+                    // before-persist hooks have already run; we deliberately SKIP this
+                    // record's create `afterOperation` rather than fire it with a bogus
+                    // item. Real Prisma always echoes the `include`d relation, so this
+                    // skip is reached only by clients/mocks that omit it. `item`
+                    // correctness is the must-have; a missing row is never fabricated.
+                    return;
+                }
+                await executeAfterOperation(relatedListConfig.hooks, {
+                    listKey: relatedListName,
+                    operation: 'create',
+                    inputData: item,
+                    item: createdItem,
+                    resolvedData,
+                    context,
+                });
+                await executeFieldAfterOperationHooks(createdItem, item, resolvedData, relatedListConfig.fields, 'create', context, relatedListName);
+                // Run any deeper nested afterOperation tasks, scoped to the persisted row.
+                await runAfterTasks(childAfterTasks, createdItem);
+            },
+        });
+        return nestedData;
     }));
     return Array.isArray(items) ? processedItems : processedItems[0];
 }
 /**
- * Process nested connect operations
- * Verifies update access to the items being connected
+ * Verify that a single connection target is reachable for the caller.
+ *
+ * Connecting an existing row references it; it does not modify the row's own
+ * data. Mirroring Keystone, this requires **read/query** access on the target
+ * list (not `update`). When query access returns a filter object, the filter is
+ * evaluated in the DATABASE (not in memory) via
+ * `findFirst({ where: { AND: [connection, accessFilter] } })`. The connect is
+ * allowed iff that query returns a row, which correctly handles arbitrary
+ * nested-relation predicates and boolean combinators (`AND`/`OR`/`some`/
+ * `none`/`not`). The existence check is folded into the reachability query so a
+ * non-existent id is still denied.
+ *
+ * In ADDITION to the target read/reachability check (#578), the OWNING
+ * relationship field's field-level access (its `create`/`update` access on the
+ * list being written, e.g. `Post.author`) must permit the connect (#588). This
+ * is the other half Keystone required: a connect needs read access on the
+ * target AND write access on the owning relationship field. If the owning
+ * field's field-level access denies, the connect is denied even when the target
+ * row is readable/reachable.
+ *
+ * Sudo bypasses the entire check (handled by the caller).
+ */
+async function verifyConnectReachable(connection, relatedListName, 
+// eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+relatedListConfig, context, prisma, owningFieldAccess, enclosingOperation, enclosingItem, enclosingInputData) {
+    // Access Prisma model dynamically - required because model names are generated at runtime
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const model = prisma[getDbKey(relatedListName)];
+    // #588 — gate the connect by the OWNING relationship field's field-level
+    // access (evaluated for the enclosing write's operation). This runs in
+    // addition to the target read/reachability check below; a deny here denies
+    // the connect even if the target row is readable. `checkFieldAccess` returns
+    // `true` under sudo, but the caller already skips this whole function for
+    // sudo, so the gate never fires for trusted writes.
+    //
+    // `item`/`inputData` are the ENCLOSING write's `originalItem`/`inputData` —
+    // the SAME values the canonical Phase-5 `filterWritableFields` call passes for
+    // this field — so a field-access rule that depends on `item` or `inputData`
+    // (e.g. `({ item }) => item.status === 'draft'`) evaluates identically here and
+    // at Phase 5, and the two gates cannot diverge into a spurious connect denial.
+    const owningFieldAllowed = await checkFieldAccess(owningFieldAccess, enclosingOperation, {
+        session: context.session,
+        item: enclosingItem,
+        inputData: enclosingInputData,
+        context,
+    });
+    if (!owningFieldAllowed) {
+        throw new Error('Access denied: Cannot connect to this item');
+    }
+    // Connecting references an existing row; it requires READ (query) access on
+    // the target, not update access.
+    const queryAccess = relatedListConfig.access?.operation?.query;
+    const accessResult = await checkAccess(queryAccess, {
+        session: context.session,
+        context,
+    });
+    // Explicit denial.
+    if (accessResult === false) {
+        throw new Error('Access denied: Cannot connect to this item');
+    }
+    // Full access: still verify the row exists (keep "Item not found" behaviour).
+    if (accessResult === true) {
+        const item = await model.findUnique({ where: connection });
+        if (!item) {
+            throw new Error(`Cannot connect: Item not found`);
+        }
+        return;
+    }
+    // Filter result: confirm the row is reachable under the access filter by
+    // AND-combining the connection identifier with the filter and querying the DB.
+    // A non-existent id and an unreachable row both yield no row → denied. This
+    // correctly evaluates arbitrary nested-relation predicates and boolean
+    // combinators because the database does the matching, not an in-memory walk.
+    const reachable = await model.findFirst({
+        where: { AND: [connection, accessResult] },
+    });
+    if (!reachable) {
+        throw new Error('Access denied: Cannot connect to this item');
+    }
+}
+/**
+ * Process nested connect operations.
+ * Verifies read (query) access to the items being connected via DB reachability
+ * AND the owning relationship field's field-level access (#588).
  */
 async function processNestedConnect(connections, relatedListName, 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
-relatedListConfig, context, prisma) {
+relatedListConfig, context, prisma, owningFieldAccess, enclosingOperation, enclosingItem, enclosingInputData) {
     const connectionsArray = Array.isArray(connections) ? connections : [connections];
-    // Check update access for each item being connected (skip if sudo mode)
+    // Check read access for each item being connected (skip if sudo mode)
     if (!context._isSudo) {
         for (const connection of connectionsArray) {
-            // Access Prisma model dynamically - required because model names are generated at runtime
-            // eslint-disable-next-line @typescript-eslint/no-explicit-any
-            const model = prisma[getDbKey(relatedListName)];
-            // Fetch the item to check access
-            const item = await model.findUnique({
-                where: connection,
-            });
-            if (!item) {
-                throw new Error(`Cannot connect: Item not found`);
-            }
-            // Check update access (connecting modifies the relationship)
-            const updateAccess = relatedListConfig.access?.operation?.update;
-            const accessResult = await checkAccess(updateAccess, {
-                session: context.session,
-                item,
-                context,
-            });
-            if (accessResult === false) {
-                throw new Error('Access denied: Cannot connect to this item');
-            }
-            // If access returns a filter, check if item matches
-            if (typeof accessResult === 'object') {
-                // Simple field matching
-                for (const [key, value] of Object.entries(accessResult)) {
-                    if (typeof value === 'object' && value !== null && 'equals' in value) {
-                        if (item[key] !== value.equals) {
-                            throw new Error('Access denied: Cannot connect to this item');
-                        }
-                    }
-                    else if (item[key] !== value) {
-                        throw new Error('Access denied: Cannot connect to this item');
-                    }
-                }
-            }
+            await verifyConnectReachable(connection, relatedListName, relatedListConfig, context, prisma, owningFieldAccess, enclosingOperation, enclosingItem, enclosingInputData);
         }
     }
     return connections;
 }
 /**
- * Process nested update operations
- * Applies hooks and access control to updates
+ * Process nested update operations.
+ *
+ * Runs the target list's full update input pipeline AND its `beforeOperation`,
+ * then registers an `afterOperation` task receiving `originalItem` (the row
+ * fetched before the write) and the persisted updated `item`.
  */
-async function processNestedUpdate(updates, relatedListName, 
+async function processNestedUpdate(updates, fieldName, relatedListName, 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
-relatedListConfig, context, config, prisma) {
+relatedListConfig, context, config, prisma, afterTasks) {
     const updatesArray = Array.isArray(updates) ? updates : [updates];
     const processedUpdates = await Promise.all(updatesArray.map(async (update) => {
         // Access Prisma model dynamically - required because model names are generated at runtime
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         const model = prisma[getDbKey(relatedListName)];
-        // Fetch the existing item
-        const item = await model.findUnique({
-            where: update.where,
-        });
-        if (!item) {
+        const where = update.where;
+        // Fetch the existing item — reused as `originalItem` for afterOperation.
+        const originalItem = await model.findUnique({ where });
+        if (!originalItem) {
             throw new Error('Cannot update: Item not found');
         }
+        // The updated row's id is known up front, so the included-result read-back
+        // finds this row directly by id.
+        const knownId = typeof originalItem.id === 'string' ? originalItem.id : undefined;
         // Check update access (skip if sudo mode)
         if (!context._isSudo) {
             const updateAccess = relatedListConfig.access?.operation?.update;
             const accessResult = await checkAccess(updateAccess, {
                 session: context.session,
-                item,
+                item: originalItem,
                 context,
             });
             if (accessResult === false) {
@@ -158,21 +359,23 @@ relatedListConfig, context, config, prisma) {
             operation: 'update',
             inputData: updateData,
             resolvedData: updateData,
-            item,
+            item: originalItem,
             context,
         });
         // Execute field-level resolveInput hooks
-        resolvedData = await executeFieldResolveInputHooks(updateData, resolvedData, relatedListConfig.fields, 'update', context, relatedListName, item);
+        resolvedData = await executeFieldResolveInputHooks(updateData, resolvedData, relatedListConfig.fields, 'update', context, relatedListName, originalItem);
         // Execute validate hook
         await executeValidate(relatedListConfig.hooks, {
             listKey: relatedListName,
             operation: 'update',
             inputData: updateData,
             resolvedData,
-            item,
+            item: originalItem,
             context,
         });
-        // Field validation
+        // Field-level validate hooks
+        await executeFieldValidateHooks(updateData, resolvedData, relatedListConfig.fields, 'update', context, relatedListName, originalItem);
+        // Field validation (built-in rules)
         const validation = validateFieldRules(resolvedData, relatedListConfig.fields, 'update');
         if (validation.errors.length > 0) {
             throw new ValidationError(validation.errors, validation.fieldErrors);
@@ -180,97 +383,263 @@ relatedListConfig, context, config, prisma) {
         // Filter writable fields
         const filtered = await filterWritableFields(resolvedData, relatedListConfig.fields, 'update', {
             session: context.session,
-            item,
+            item: originalItem,
             context,
             inputData: updateData,
         });
-        // Recursively process nested operations
-        const processedData = await processNestedOperations(filtered, relatedListConfig.fields, config, context, 'update');
+        // Recursively process nested operations. This nested row is being UPDATED,
+        // so its own relations' pre-existing rows are captured from `originalItem`.
+        const { data: nestedData, afterTasks: childAfterTasks } = await processNestedOperations(filtered, relatedListConfig.fields, config, { ...context, prisma }, 'update', relatedListName, originalItem, 
+        // This nested row is being UPDATED, so its enclosing inputData is its own
+        // update payload (passed to the connect-site owning-field gate, #588).
+        updateData);
+        // Field-level beforeOperation (side effects)
+        await executeFieldBeforeOperationHooks(updateData, resolvedData, relatedListConfig.fields, 'update', context, relatedListName, originalItem);
+        // List-level beforeOperation
+        await executeBeforeOperation(relatedListConfig.hooks, {
+            listKey: relatedListName,
+            operation: 'update',
+            inputData: updateData,
+            item: originalItem,
+            resolvedData,
+            context,
+        });
+        // Register afterOperation: fires after the parent persist. The updated row
+        // is recovered from the parent's included relation by its known id.
+        afterTasks.push({
+            fieldName,
+            run: async (parentResult) => {
+                const persisted = recoverUpdatedRow(parentResult, fieldName, knownId);
+                const updatedItem = persisted ?? originalItem;
+                await executeAfterOperation(relatedListConfig.hooks, {
+                    listKey: relatedListName,
+                    operation: 'update',
+                    inputData: updateData,
+                    originalItem,
+                    item: updatedItem,
+                    resolvedData,
+                    context,
+                });
+                await executeFieldAfterOperationHooks(updatedItem, updateData, resolvedData, relatedListConfig.fields, 'update', context, relatedListName, originalItem);
+                await runAfterTasks(childAfterTasks, updatedItem);
+            },
+        });
         return {
-            where: update.where,
-            data: processedData,
+            where,
+            data: nestedData,
         };
     }));
     return Array.isArray(updates) ? processedUpdates : processedUpdates[0];
 }
+/**
+ * Process nested delete operations.
+ *
+ * Runs the target list's delete pipeline (validate/field-validate +
+ * `beforeOperation`) before the parent persist, and registers an
+ * `afterOperation` task receiving the `originalItem` (the row before deletion).
+ * Persistence is performed by Prisma's nested write; the row no longer exists
+ * after, so `originalItem` is the authoritative record for after-hooks.
+ */
+async function processNestedDelete(deletes, relatedListName, 
+// eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+relatedListConfig, context, prisma, afterTasks) {
+    // A to-one relation delete can be a boolean (`{ delete: true }`); there is no
+    // identifying `where`, so we cannot run target-resolved hooks. Pass through.
+    if (typeof deletes === 'boolean') {
+        return deletes;
+    }
+    const deletesArray = Array.isArray(deletes) ? deletes : [deletes];
+    await Promise.all(deletesArray.map(async (del) => {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const model = prisma[getDbKey(relatedListName)];
+        // A nested delete entry is itself the unique `where` (e.g. `{ id }`).
+        const where = del;
+        const originalItem = await model.findUnique({ where });
+        if (!originalItem) {
+            throw new Error('Cannot delete: Item not found');
+        }
+        // Check delete access (skip if sudo mode)
+        if (!context._isSudo) {
+            const deleteAccess = relatedListConfig.access?.operation?.delete;
+            const accessResult = await checkAccess(deleteAccess, {
+                session: context.session,
+                item: originalItem,
+                context,
+            });
+            if (accessResult === false) {
+                throw new Error('Access denied: Cannot delete related item');
+            }
+        }
+        // List-level validate (delete)
+        await executeValidate(relatedListConfig.hooks, {
+            listKey: relatedListName,
+            operation: 'delete',
+            item: originalItem,
+            context,
+        });
+        // Field-level validate (delete)
+        await executeFieldValidateHooks(undefined, undefined, relatedListConfig.fields, 'delete', context, relatedListName, originalItem);
+        // Field-level beforeOperation (delete)
+        await executeFieldBeforeOperationHooks({}, {}, relatedListConfig.fields, 'delete', context, relatedListName, originalItem);
+        // List-level beforeOperation (delete)
+        await executeBeforeOperation(relatedListConfig.hooks, {
+            listKey: relatedListName,
+            operation: 'delete',
+            item: originalItem,
+            context,
+        });
+        // Register afterOperation: the row is gone after persist, so the
+        // originalItem is the authoritative record passed to after-hooks.
+        afterTasks.push({
+            fieldName: '',
+            run: async () => {
+                await executeAfterOperation(relatedListConfig.hooks, {
+                    listKey: relatedListName,
+                    operation: 'delete',
+                    originalItem,
+                    context,
+                });
+                await executeFieldAfterOperationHooks(originalItem, undefined, undefined, relatedListConfig.fields, 'delete', context, relatedListName, originalItem);
+            },
+        });
+    }));
+    return deletes;
+}
 /**
  * Process nested connectOrCreate operations
  */
-async function processNestedConnectOrCreate(operations, relatedListName, 
+async function processNestedConnectOrCreate(operations, fieldName, relatedListName, 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
-relatedListConfig, context, config, prisma) {
+relatedListConfig, context, config, prisma, afterTasks, recovery, owningFieldAccess, enclosingOperation, enclosingItem, enclosingInputData) {
     const operationsArray = Array.isArray(operations) ? operations : [operations];
     const processedOps = await Promise.all(operationsArray.map(async (op) => {
-        // Process the create portion through create hooks
         const opRecord = op;
-        const processedCreate = await processNestedCreate(opRecord.create, relatedListConfig, context, config);
-        // Check access for the connect portion (try to find existing item) (skip if sudo mode)
+        // Check access for the connect portion (skip if sudo mode).
+        //
+        // connectOrCreate connects an existing row when present, otherwise
+        // creates. So when the row exists we apply the same connect semantics as
+        // processNestedConnect — READ (query) access on the target, evaluated via
+        // DB reachability for filter results, PLUS the owning relationship field's
+        // field-level access (#588). When the row does not exist we fall through to
+        // create. We must NOT swallow an access-denied error: only the genuine
+        // "row absent" case may fall back to create.
+        let rowExists = false;
         if (!context._isSudo) {
-            try {
-                // Access Prisma model dynamically - required because model names are generated at runtime
-                // eslint-disable-next-line @typescript-eslint/no-explicit-any
-                const model = prisma[getDbKey(relatedListName)];
-                const existingItem = await model.findUnique({
-                    where: opRecord.where,
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            const model = prisma[getDbKey(relatedListName)];
+            const where = opRecord.where;
+            const existingItem = await model.findUnique({ where });
+            // Only enforce connect access when the row actually exists; otherwise
+            // the create branch is used.
+            if (existingItem) {
+                rowExists = true;
+                // #588 — gate the connect branch by the OWNING relationship field's
+                // field-level access, identical to processNestedConnect. A deny here
+                // denies the connect even if the target row is readable/reachable.
+                // `item`/`inputData` are the ENCLOSING write's `originalItem`/
+                // `inputData` (the same values Phase-5 `filterWritableFields` passes),
+                // so item-/inputData-dependent field rules cannot diverge between the
+                // two gates.
+                const owningFieldAllowed = await checkFieldAccess(owningFieldAccess, enclosingOperation, {
+                    session: context.session,
+                    item: enclosingItem,
+                    inputData: enclosingInputData,
+                    context,
                 });
-                if (existingItem) {
-                    // Check update access for connection
-                    const updateAccess = relatedListConfig.access?.operation?.update;
-                    const accessResult = await checkAccess(updateAccess, {
-                        session: context.session,
-                        item: existingItem,
-                        context,
+                if (!owningFieldAllowed) {
+                    throw new Error('Access denied: Cannot connect to existing item');
+                }
+                const queryAccess = relatedListConfig.access?.operation?.query;
+                const accessResult = await checkAccess(queryAccess, {
+                    session: context.session,
+                    item: existingItem,
+                    context,
+                });
+                if (accessResult === false) {
+                    throw new Error('Access denied: Cannot connect to existing item');
+                }
+                // Filter result: confirm the existing row is reachable under the
+                // access filter via DB reachability (handles nested/boolean filters).
+                if (accessResult !== true) {
+                    const reachable = await model.findFirst({
+                        where: { AND: [where, accessResult] },
                     });
-                    if (accessResult === false) {
+                    if (!reachable) {
                         throw new Error('Access denied: Cannot connect to existing item');
                     }
                 }
             }
-            catch {
-                // Item doesn't exist, will use create (already processed)
-            }
         }
+        // Process the create portion through the full create pipeline (incl.
+        // before/afterOperation). Only register an afterOperation task when the
+        // create branch will actually run (row absent), so a pure connect does not
+        // fire create hooks. Under sudo we cannot statically know, so we let the
+        // create pipeline run its hooks (sudo bypasses access only, not hooks).
+        const runCreateHooks = context._isSudo || !rowExists;
+        const createAfterTasks = runCreateHooks ? afterTasks : [];
+        const processedCreate = await processNestedCreate(opRecord.create, fieldName, relatedListName, relatedListConfig, context, config, prisma, createAfterTasks, recovery);
         return {
-            where: op.where,
+            where: opRecord.where,
             create: processedCreate,
         };
     }));
     return Array.isArray(operations) ? processedOps : processedOps[0];
 }
+/**
+ * Narrow the lazily-built {@link CreatedRowRecovery} to a present value for the
+ * created kinds (`create`, `connectOrCreate`). It is always provided for these
+ * kinds by {@link processFieldNestedOps}; the guard backstops a programming
+ * error rather than a user-facing path.
+ */
+function requireRecovery(recovery, kind) {
+    if (!recovery) {
+        throw new Error(`Internal error: missing created-row recovery for nested "${kind}"`);
+    }
+    return recovery;
+}
+/** Nested-op kinds that can create new rows and so need created-row recovery. */
+const CREATING_KINDS = new Set(['create', 'connectOrCreate']);
 /**
  * Registry of nested-operation handlers keyed by nested-op kind.
  *
- * The dispatch loop in {@link processNestedOperations} looks handlers up here
- * instead of branching on each kind. Kinds that require hooks/access control
- * (`create`, `connect`, `connectOrCreate`, `update`) provide an `execute` that
- * applies them; pass-through kinds (`disconnect`, `delete`, `deleteMany`,
- * `set`, `updateMany`) return their value unchanged so Prisma's own
- * constraints apply.
+ * Kinds that run the full hook pipeline (`create`, `update`, `delete`, and the
+ * create branch of `connectOrCreate`) run `beforeOperation` inline and register
+ * deferred `afterOperation` tasks. `connect`/`connectOrCreate`'s connect branch
+ * enforce access only. Remaining pass-through kinds (`disconnect`, `set`,
+ * `updateMany`, `deleteMany`) return their value unchanged so Prisma's own
+ * constraints apply — they are intentionally NOT in scope for #569.
  */
 const nestedOpRegistry = {
     create: {
-        execute: ({ value, relatedListConfig, context, config }) => processNestedCreate(value, relatedListConfig, context, config),
+        needsInclude: true,
+        execute: ({ value, fieldName, relatedListName, relatedListConfig, context, config, prisma, afterTasks, recovery, }) => processNestedCreate(value, fieldName, relatedListName, relatedListConfig, context, config, prisma, afterTasks, requireRecovery(recovery, 'create')),
     },
     connect: {
-        execute: ({ value, relatedListName, relatedListConfig, context, prisma }) => processNestedConnect(value, relatedListName, relatedListConfig, context, prisma),
+        needsInclude: false,
+        execute: ({ value, relatedListName, relatedListConfig, context, prisma, owningFieldAccess, enclosingOperation, enclosingItem, enclosingInputData, }) => processNestedConnect(value, relatedListName, relatedListConfig, context, prisma, owningFieldAccess, enclosingOperation, enclosingItem, enclosingInputData),
     },
     connectOrCreate: {
-        execute: ({ value, relatedListName, relatedListConfig, context, config, prisma }) => processNestedConnectOrCreate(value, relatedListName, relatedListConfig, context, config, prisma),
+        needsInclude: true,
+        execute: ({ value, fieldName, relatedListName, relatedListConfig, context, config, prisma, afterTasks, recovery, owningFieldAccess, enclosingOperation, enclosingItem, enclosingInputData, }) => processNestedConnectOrCreate(value, fieldName, relatedListName, relatedListConfig, context, config, prisma, afterTasks, requireRecovery(recovery, 'connectOrCreate'), owningFieldAccess, enclosingOperation, enclosingItem, enclosingInputData),
     },
     update: {
-        execute: ({ value, relatedListName, relatedListConfig, context, config, prisma }) => processNestedUpdate(value, relatedListName, relatedListConfig, context, config, prisma),
+        needsInclude: true,
+        execute: ({ value, fieldName, relatedListName, relatedListConfig, context, config, prisma, afterTasks, }) => processNestedUpdate(value, fieldName, relatedListName, relatedListConfig, context, config, prisma, afterTasks),
+    },
+    delete: {
+        // The row no longer exists after the parent write, so no read-back include.
+        needsInclude: false,
+        execute: ({ value, relatedListName, relatedListConfig, context, prisma, afterTasks }) => processNestedDelete(value, relatedListName, relatedListConfig, context, prisma, afterTasks),
     },
     // Pass-through kinds: no hooks/access control, left to Prisma's own constraints.
-    disconnect: { execute: ({ value }) => Promise.resolve(value) },
-    delete: { execute: ({ value }) => Promise.resolve(value) },
-    deleteMany: { execute: ({ value }) => Promise.resolve(value) },
-    set: { execute: ({ value }) => Promise.resolve(value) },
-    updateMany: { execute: ({ value }) => Promise.resolve(value) },
+    // (Out of scope for #569 — see the issue's "Out of scope" notes.)
+    disconnect: { needsInclude: false, execute: ({ value }) => Promise.resolve(value) },
+    deleteMany: { needsInclude: false, execute: ({ value }) => Promise.resolve(value) },
+    set: { needsInclude: false, execute: ({ value }) => Promise.resolve(value) },
+    updateMany: { needsInclude: false, execute: ({ value }) => Promise.resolve(value) },
 };
 /**
  * Order in which nested-op kinds are processed for a single relationship field.
- *
- * Mirrors the historical in-place dispatch order so behaviour is preserved.
  */
 const nestedOpOrder = [
     'create',
@@ -288,26 +657,55 @@ const nestedOpOrder = [
  * relationship field's value, dispatching each present nested-op kind through
  * the {@link nestedOpRegistry}.
  */
-async function processFieldNestedOps(valueRecord, args) {
+async function processFieldNestedOps(fieldName, valueRecord, args, includeFields, parentListName, parentOriginalItem) {
     const nestedOp = {};
+    // Created-row recovery is only needed when this field has a creating kind
+    // (`create`/`connectOrCreate`). When present it requires a pre-persist read of
+    // the parent's current related ids, so build it once, lazily, and share it
+    // across the creating kinds on this field.
+    let recovery;
+    const hasCreatingKind = nestedOpOrder.some((kind) => CREATING_KINDS.has(kind) && valueRecord[kind] !== undefined);
+    if (hasCreatingKind) {
+        const preExistingIds = await capturePreExistingIds(parentListName, parentOriginalItem, fieldName, args.prisma);
+        recovery = createCreatedRowRecovery(fieldName, preExistingIds);
+    }
     for (const kind of nestedOpOrder) {
         const value = valueRecord[kind];
         if (value === undefined) {
             continue;
         }
         const handler = nestedOpRegistry[kind];
-        nestedOp[kind] = await handler.execute({ ...args, value });
+        if (handler.needsInclude) {
+            includeFields.add(fieldName);
+        }
+        nestedOp[kind] = await handler.execute({
+            ...args,
+            value,
+            fieldName,
+            recovery,
+        });
     }
     return nestedOp;
 }
 /**
- * Process all nested operations in a data payload
- * Recursively handles relationship fields with nested writes
+ * Process all nested operations in a data payload.
+ *
+ * Recursively handles relationship fields with nested writes. In addition to
+ * transforming the payload it runs each nested record's `beforeOperation` and
+ * collects deferred `afterOperation` tasks (run by the Write Pipeline after the
+ * parent persist via {@link runAfterTasks}). See ADR-0010.
  */
-export async function processNestedOperations(data, fieldConfigs, config, context, operation, depth = 0) {
+export async function processNestedOperations(data, fieldConfigs, config, context, operation, parentListName, parentOriginalItem, 
+// The enclosing write's input data (the SAME value Phase-5 `filterWritableFields`
+// passes as `inputData`). Threaded into the connect-site owning-field gate (#588
+// finding) so item-/inputData-dependent field-access rules cannot diverge between
+// Phase 5 and the connect site. `undefined` is tolerated (defaults to `{}`).
+parentInputData = undefined, depth = 0) {
     const MAX_DEPTH = 5;
+    const afterTasks = [];
+    const includeFields = new Set();
     if (depth >= MAX_DEPTH) {
-        return data;
+        return { data, afterTasks, includeFields };
     }
     const processed = {};
     for (const [fieldName, value] of Object.entries(data)) {
@@ -325,15 +723,40 @@ export async function processNestedOperations(data, fieldConfigs, config, contex
             continue;
         }
         const { listName: relatedListName, listConfig: relatedListConfig } = relatedConfig;
-        // Dispatch each present nested-op kind through the handler registry.
-        processed[fieldName] = await processFieldNestedOps(value, {
-            relatedListName,
+        // Sanity: ensure the resolved list name matches the config identity.
+        const resolvedListName = relatedListName || findListName(relatedListConfig, config);
+        // #588 — the owning relationship field's field-level access (e.g. the
+        // `access` on `Post.author`). Threaded into the nested-op handlers so the
+        // connect/connectOrCreate handlers can gate connects by this field's
+        // create/update access, in addition to the target's read access.
+        const owningFieldAccess = fieldConfig.access;
+        processed[fieldName] = await processFieldNestedOps(fieldName, value, {
+            relatedListName: resolvedListName,
             relatedListConfig,
+            owningFieldAccess,
+            enclosingOperation: operation,
+            // The enclosing write's `originalItem`/`inputData` — the SAME values the
+            // canonical Phase-5 `filterWritableFields` call passes for this field — so
+            // the connect-site owning-field gate evaluates item-/inputData-dependent
+            // rules identically and cannot diverge into a spurious connect denial (#588).
+            enclosingItem: parentOriginalItem,
+            enclosingInputData: parentInputData ?? {},
             context,
             config,
             prisma: context.prisma,
-        });
+            afterTasks,
+        }, includeFields, parentListName, parentOriginalItem);
+    }
+    return { data: processed, afterTasks, includeFields };
+}
+/**
+ * Run a set of deferred nested `afterOperation` tasks against a persisted parent
+ * row. Tasks run sequentially so a throwing after-hook aborts the rest (and, run
+ * inside the transaction by the Write Pipeline, rolls the whole write back).
+ */
+export async function runAfterTasks(afterTasks, parentResult) {
+    for (const task of afterTasks) {
+        await task.run(parentResult);
     }
-    return processed;
 }
 //# sourceMappingURL=nested-operations.js.map